Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Enable Linux audit to log execve syscalls from interactive SSH sessions.
Uses auid filter to exclude system services and nix builds.
Logs forwarded to journald for Loki ingestion. Query with:
{host="testvmXX"} |= "EXECVE"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
22 lines
734 B
Nix
# SSH session command auditing
#
# Logs all commands executed by users who logged in interactively (SSH).
# System services and nix builds are excluded via auid filter.
#
# Logs are sent to journald and forwarded to Loki via promtail.
# Query with: {host="<hostname>"} |= "EXECVE"
{
  # Enable Linux audit subsystem
  security.audit.enable = true;
  security.auditd.enable = true;

  # Log execve syscalls only from interactive login sessions
  # auid!=4294967295 means "audit login uid is set" (excludes system services, nix builds)
  security.audit.rules = [
    "-a exit,always -F arch=b64 -S execve -F auid!=4294967295"
  ];

  # Forward audit logs to journald (so promtail ships them to Loki)
  services.journald.audit = true;
}
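Review bot: the single rule in `security.audit.rules` only matches `arch=b64` and only the `execve` syscall, so a command started through the 32-bit syscall ABI or via `execveat` on a host with compat enabled is never logged, which falls short of the "logs all commands" promise in the header comment. Suggest a pair of rules that covers both ABIs and both exec entry points, e.g. `"-a exit,always -F arch=b64 -S execve,execveat -F auid!=4294967295"` and `"-a exit,always -F arch=b32 -S execve,execveat -F auid!=4294967295"`, and a one-line comment noting that the `b32` rule is only loadable on kernels with 32-bit emulation. The `auid!=4294967295` filter itself is correct (unset login uid is stored as -1) and the `|= "EXECVE"` query will keep matching the argv records these rules emit.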